Groupe de travail. Analysis of Mobile Systems by Abstract Interpretation

Similar documents
Abstract Interpretation II

Two examples of numerical domains

Predicate Logic. Xinyu Feng 09/26/2011. University of Science and Technology of China (USTC)

Static Program Analysis using Abstract Interpretation

The Join calculus A calculus of mobile agents

Predicate Logic. Xinyu Feng 11/20/2013. University of Science and Technology of China (USTC)

A π-calculus with preorders

The Trace Partitioning Abstract Domain

Denotational semantics: proofs

Discrete Fixpoint Approximation Methods in Program Static Analysis

EE249 - Fall 2012 Lecture 18: Overview of Concrete Contract Theories. Alberto Sangiovanni-Vincentelli Pierluigi Nuzzo

Models of Concurrency

1 Introduction. 2 Recap The Typed λ-calculus λ. 3 Simple Data Structures

Relational Interfaces and Refinement Calculus for Compositional System Reasoning

A New Numerical Abstract Domain Based on Difference-Bound Matrices

Denotational semantics

A Note on Scope and Infinite Behaviour in CCS-like Calculi p.1/32

λ S : A Lambda Calculus with Side-effects

An Introduction to Hybrid Systems Modeling

Nominal Completion for Rewrite Systems with Binders

Adjoint Logic and Its Concurrent Semantics

Partial model checking via abstract interpretation

Cours M.2-6 «Interprétation abstraite: applications à la vérification et à l analyse statique» Examen partiel. Patrick Cousot.

Algebraic Trace Theory

A Calculus of Definitions

Overview: Synchronous Computations

Algebraic Trace Theory

Dense-Timed Pushdown Automata

The Octagon Abstract Domain

Extending ProVerif s Resolution Algorithm for Verifying Group Protocols

CS522 - Programming Language Semantics

Synthesis of Asynchronous Systems

Introduction to Kleene Algebras

Abstraction for Falsification

Logical Abstract Domains and Interpretations

Adding Recursion to Dpi

COMPUTER SCIENCE TRIPOS

Nominal Syntax and Semantics

Diagnosability Analysis of Discrete Event Systems with Autonomous Components

BASIC CONCEPTS OF ABSTRACT INTERPRETATION

The Expressivity of Universal Timed CCP: Undecidability of Monadic FLTL and Closure Operators for Security

Our Problem. Model. Clock Synchronization. Global Predicate Detection and Event Ordering

Relating State-Based and Process-Based Concurrency through Linear Logic

Lazy Mobile Intruders (Extended Version)

Predicate Logic. x. x + 0 = x. Predicate logic over integer expressions: a language of logical assertions, for example. Why discuss predicate logic?

Review of The π-calculus: A Theory of Mobile Processes

Model Checking: An Introduction

The Abstract Domain of Segmented Ranking Functions

Principles of Program Analysis: A Sampler of Approaches

Lecture Notes 7 Random Processes. Markov Processes Markov Chains. Random Processes

Mode checking in the Concurrent Logical Framework

«ATutorialon Abstract Interpretation»

Introduction to Abstract Interpretation. ECE 584 Sayan Mitra Lecture 18

A proof checking kernel for the λπ-calculus modulo

Principles of Program Analysis: Control Flow Analysis

Static Program Analysis

Software Verification

Semi-asynchronous. Fault Diagnosis of Discrete Event Systems ALEJANDRO WHITE DR. ALI KARIMODDINI OCTOBER

THEORY OF COMPUTATION (AUBER) EXAM CRIB SHEET

Model Checking & Program Analysis

Operational Semantics

Communication and Concurrency: CCS

07 Equational Logic and Algebraic Reasoning

Scheduling and Buffer Sizing of n-synchronous Systems

The syntactic guard condition of Coq

Reinforcement Learning

Lazy Strong Normalization

Compilers. Lexical analysis. Yannis Smaragdakis, U. Athens (original slides by Sam

Adding recursion to Dpi

The Many Faces of Modal Logic Day 4: Structural Proof Theory

Symbolic Trajectory Evaluation (STE): Orna Grumberg Technion, Israel

Normalization by Evaluation

Concurrent Processes and Reaction

Meta-reasoning in the concurrent logical framework CLF

A hierarchy of Constraint Systems for Data-Flow Analysis of Constraint Logic-Based Languages

Tutorial on Semantics Part I

A Fixed Point Representation of References

A Calculus for Control Flow Analysis of Security Protocols

Deciding Validity in a Spatial Logic for Trees

AAA616: Program Analysis. Lecture 7 The Octagon Abstract Domain

Unranked Tree Automata with Sibling Equalities and Disequalities

Temporal Logic. Stavros Tripakis University of California, Berkeley. We have designed a system. We want to check that it is correct.

Mixing Finite Success and Finite Failure. Automated Prover

Existence and Consistency in Bounded Arithmetic

Beyond First-Order Logic

Notes on Abstract Interpretation

Temporal logics and explicit-state model checking. Pierre Wolper Université de Liège

Time. To do. q Physical clocks q Logical clocks

Formal Methods in Software Engineering

Normalisation by evaluation

Foundations of Informatics: a Bridging Course

INTRODUCTION TO PREDICATE LOGIC HUTH AND RYAN 2.1, 2.2, 2.4

Expressing Dynamics of Mobile Programs by Typing

Consistent Global States of Distributed Systems: Fundamental Concepts and Mechanisms. CS 249 Project Fall 2005 Wing Wong

Semantic Equivalences and the. Verification of Infinite-State Systems 1 c 2004 Richard Mayr

Semi-Automatic Distributed Synthesis

Abstractions and Decision Procedures for Effective Software Model Checking

A Language for Task Orchestration and its Semantic Properties

A Modular Rewriting Semantics for CML

Model Checking with CTL. Presented by Jason Simas

Transcription:

Groupe de travail Analysis of Mobile Systems by Abstract Interpretation Jérôme Feret École Normale Supérieure http://www.di.ens.fr/ feret 31/03/2005

Introduction I We propose a unifying framework to design automatic, sound, approximate, decidable, semantics to abstract the properties of mobile systems. Our framework is model-independent: = we use a META-language to encode mobility models, = we design analyses at the META-language level. We use the Abstract Interpretation theory. Jérôme Feret, LIENS 2 31/03/2005

Introduction II We focus on reachability properties. We distinguish between recursive instances of components. We design three families of analyses: 1. environment analyses capture dynamic topology properties (non-uniform control flow analysis, secrecy, confinement,...) 2. occurrence counting captures concurrency properties (mutual exclusion, non exhaustion of resources) 3. thread partitioning mixes both dynamic topology and concurrency properties (absence of race conditions, authentication,...). Jérôme Feret, LIENS 3 31/03/2005

A network Client Resource Server Jérôme Feret, LIENS 4 31/03/2005

Example: a 3-port server Jérôme Feret, LIENS 5 31/03/2005

Example: a shared-memory We consider the implementation of a shared-memory where: agents may allocate new cells, authorized agents may read the content of a cell, authorized agents may write inside a cell, overwriting the former content. The content of a cell is encoded by an output on a channel. We want to prove that the value of each cell never becomes ambiguous (i.e. there never are two outputs over the same channel). Jérôme Feret, LIENS 6 31/03/2005

π-calculus: syntax Name: infinite set of channel names, Label : infinite set of labels, P ::= action.p (P P) (ν x)p action ::= c! i [x 1,..., xn] c? i [x 1,..., xn] c? i [x 1,..., xn] where n 0, c, x 1,..., x n, x, Name, i Label. ν and? are the only name binders. fv(p): free variables in P, bn(p): bound names in P. Jérôme Feret, LIENS 7 31/03/2005

Non-standard semantics A refined semantics where: each recursive instance of processes is identified with an unambiguous marker; each name of channel is stamped with the marker of the process which has opened this channel. Jérôme Feret, LIENS 8 31/03/2005

Example: non-standard configuration (Server Client gen! 5 [] email 1! 2 [data 1 ] email 2! 2 [data 2 ]) ( ) { 1, ε, port (port, ε) ( { ) gen (gen, ε) 3, ε, port (port, ε) ( { 2, id 1, add (email, id 1 ) info (data, id 1 ) ( { 2, id 2, add (email, id 2 ) info (data, id 2 ) ( { ) 5, id 2, gen (gen, ε) ) ) Jérôme Feret, LIENS 9 31/03/2005

Extraction function An extraction function calculates the set of the thread instances spawned at the beginning of the system execution or after a computation step. β((ν n)p, id, E) = β (P, id, (E[n (n, id)])) β(, id, E) = β(p Q, id, E) = β(p, id, E) β(q, id, E) β(y? i [y].p, id, E) = {(y? i [y].p, id, E fv(y? i [y].p) )} β( y? i [y].p, id, E) = {( y? i [y].p, id, E fv( y? i [y].p) )} β(x! j [x].p, id, E) = {(x! j [x].p, id, E fv(x! j [x]p) )} Jérôme Feret, LIENS 10 31/03/2005

Transition system C 0 (S) = β(s, ε, ) C { (y? i [y]p, id?, E? ), (x! j [x]q, id!, E! ) } E? (y) = E! (x) i,j (C β(p, id?, E? [y i E! (x i )]) β(q, id!, E! )) C { ( y? i [y]p, id, E ), (x! j [x]q, id!, E! ) } i,j ( E (y) = E! (x) C {( y? i [y]p, id, E )} β(p, N ((i, j), id, id! ), E [y i E! (x i )]) β(q, id!, E! ) ) where N is the tree constructor. Jérôme Feret, LIENS 11 31/03/2005

Overview 1. Abstract Interpretation 2. Environment analysis 3. Occurrence counting analysis 4. Thread partitioning 5. Conclusion Jérôme Feret, LIENS 12 31/03/2005

Collecting semantics (C, C 0, ) is a transition system, We restrict our study to its collecting semantics: this is the set of the states that are reachable within a finite transition sequence. S = {C i C 0, i C} It is also given by the least fixpoint of the following -complete endomorphism F: { (C) (C) F = X C 0 {C C X, C C } This fixpoint is usually not computable automatically. Jérôme Feret, LIENS 13 31/03/2005

Abstract domain We introduce an abstract domain of properties: properties of interest; more complex properties used in calculating them. This domain is often a lattice: (D,,,,, ) and is related to the concrete domain (C) by a monotonic concretization function γ. A D, γ(a) is the set of configurations which satisfy the property A. Jérôme Feret, LIENS 14 31/03/2005

Numerical domains sign approximation; interval approximation; octagonal approximation; polyhedra approximation; concrete domain. Jérôme Feret, LIENS 15 31/03/2005

Abstract transition system Let C 0 be an abstraction of the initial states and be an abstract transition relation, which satisfies C 0 γ(c 0 ) and the following diagram: C λ C γ γ C λ C Then, S n Nγ(F n (C 0 )), where F (C ) = C 0 ( {C C C } ). Jérôme Feret, LIENS 16 31/03/2005

Widening operator We require a widening operator to ensure the convergence of the analysis: such that: X 1, X 2 D, X 1 X 2 X 1 X 2 : D D D for all increasing sequence (X n) ( D ) N, the sequence (X n ) defined as { X 0 = X 0 X n+1 = X n X n+1 is ultimately stationary. Jérôme Feret, LIENS 17 31/03/2005

Abstract iteration The abstract iteration (C n ) of F defined as follows C 0 = C 0{ C n+1 = C n if F (C n ) C n C n F (C n ) otherwise is ultimately stationary and its limit C satisfies lfp F γ(c ). Jérôme Feret, LIENS 18 31/03/2005

Example: Interval widening We consider the complete I lattice of the natural number intervals. I does not satisfy the increasing chain condition. Given n a natural number, we use the following widening operator to ensure the convergence of the analyses based on the use of I: { a, b c, d = min{a, c}, if d > max{n, b} I J = I J otherwise Jérôme Feret, LIENS 19 31/03/2005

Approximate reduced product The Abstract Interpretation framework provides tools for making the product of several abstractions. Abstract properties may refine each other to get better results. An abstract computation step is enabled if and only if it is enabled in all abstractions. Jérôme Feret, LIENS 20 31/03/2005

Approximate reduced product Given two abstractions (D, γ, C 0, ) and (D, γ, C 0, ), and a reduction ρ : D D D D which satisfy: (A, A) D D, γ(a) γ(a) γ(a) γ(a) where (a, a) = ρ(a, A). Then (D, γ, C 0, ) where: D = D D ; is pair-wisely defined; γ(a, A) = γ(a) γ(a); C 0 = ρ(c 0, C 0 ); (A, A) ρ(c, C) if B C and B C and (B, B) = ρ(a, A) is also an abstraction. Jérôme Feret, LIENS 21 31/03/2005

Overview 1. Abstract Interpretation 2. Environment analysis 3. Occurrence counting analysis 4. Thread partitioning 5. Conclusion Jérôme Feret, LIENS 22 31/03/2005

Generic environment analysis = Abstract the relations among the marker and the names of threads at each program point. For any finite subset V V, (Id (V (Label Id))) γ V Atom V. The abstract domain C is then the set: C = p PAtom I(p) related to (C) by the concretization γ: γ(f) = {C (p, id, E) C = (id, E) γ I(p) (f p )}. Jérôme Feret, LIENS 23 31/03/2005

Abstract communication? Variable Property Environment Property Relational Information y?[y].(νp)p x![x].(νq)q Synchronization Constraint Jérôme Feret, LIENS 24 31/03/2005

y?[y].(νp)p Extending environments x![x].(νq)q Environment Property Environment Extension Relational Information Variable Property Synchronization Constraint Jérôme Feret, LIENS 25 31/03/2005

Synchronizing environments y?[y].(νp)p x![x].(νq)q Environment Property Environment Extension Relational Information Variable Property Synchronization Constrai Jérôme Feret, LIENS 26 31/03/2005

y?[y].(νp)p Propagating information x![x].(νq)q Environment Property Environment Extension Relational Information Variable Property Information closure Jérôme Feret, LIENS 27 31/03/2005

Generic primitives We only require abstract primitives to: 1. extend the domain of the environments, 2. gather the description of the linkage of the syntactic agents, 3. synchronize variables, 4. compute information closure, 5. separate the descriptions, 6. restrict the domain of the environments. Jérôme Feret, LIENS 28 31/03/2005

Thread abstraction: Structure For any finite V V, 1. (Atom V, V) is a pre-order; 2. Env V = Id (V (Label Id)); 3. γ V : Atom V (Env V), a V b = γ V (a) γ V (b); 4. : V (Atom V ) Atom V, a A, a V 5. V Atom V, γ( V) = ; 6. V is a widening operator; V (A); Jérôme Feret, LIENS 29 31/03/2005

Thread abstraction: Abstract primitives 1. initial environment abstraction: ε Atom, {(ε, )} γ (ε ); 2. abstract name restriction: x V \ V, l Label, A Atom V, ν (x, l, A) Atom V {x}, (id, E (id, E) Env V ) γ V (A), V {x} E(x) = (l, id), γ V {x}(ν (x, l, A)); y V, E(y) (x, id) 3. abstract garbage collection: X V, A Atom V, GC (X, A) Atom X, {(id, E X ) Env X (id, E) γ V (A)} γ X (GC (X, A)). Jérôme Feret, LIENS 30 31/03/2005

Thread tuple abstraction: Domain For any tuple (V i ) 1 i n of finite sets of variables, is an abstract domain. Molecule (V i ) 1 i n No structure is required (no extrapolation); γ (Vi ) 1 i n : Molecule (V i ) 1 i n (Π 1 i n (Env Vi )). Jérôme Feret, LIENS 31 31/03/2005

Thread tuple abstraction: Conversion 1. abstract injection: V V, A Atom V, INJ (A) Molecule (V) γ V (A) γ (V) (INJ (A)). 2. abstract product: A Molecule (U i ) 1 i m, B Molecule (V i ) 1 i n, A B Molecule (U i ).(V i ) { (e i ) i 1;m+n (e i ) 1 i m γ (Ui )(A) (e i+m ) 1 i n γ (Vi )(B) } γ (Ui ).(V i )(A B). 3. abstract projections: A Molecule (V i ) 1 i n, k 1; n, PROJ (k, A) Atom { } (id k, E k ) (idi, E i ) i γ (Vi ) i (A) γ Vk (PROJ (k, A)). Jérôme Feret, LIENS 32 31/03/2005

Thread tuple abstraction: Abstract extension Given: (V i ) 1 i n ( (V)) n ; X V 1; n ; A Molecule (V i ) { ; U i = V i \ {x (x, i) X} we define W i = V i {x (x, i) X} then: (unchanged variables) (extended interface); { (id i, E i ) Π(Env Wi ) NEW (X, A) Molecule (W i ) } (id i, E i ) γ (V i )(A), i 1; n, E i U = E i Ui i γ (Wi )(NEW (X, A)). Jérôme Feret, LIENS 33 31/03/2005

Thread tuple abstraction: Abstract synchronization Given: A Molecule, (V i ) 1 i n (p i ) L n p, S {(x, k) (y, l) {=; }, x V k {I}, y V l {I}}; then: SYNC (S, (p i ), A) Molecule (V i ), {(id i, E i ) γ (Vi )(A) (a b) S, ρ(a) ρ(b)} γ (Vi )(SYNC (S, (p i ), A)), where ρ((x, i)) = E i (x) when x V i and ρ((i, i)) = (p i, id). Jérôme Feret, LIENS 34 31/03/2005

thread tuple abstraction: Abstract marker allocation Given: (p i ) L n p; A Molecule (V i ), Then: FETCH ((p i ), A) Molecule (V i ) (id i, E i ) where id i = i 1; n, (id i, E i ) γ (Vi )(A) id i id 1 x V i, y Label, (y, id 1 ) E i (x) { N ((p i ) 1 i n, id 1,..., id n ) if i = 1 id i otherwise. γ (V i )(FETCH ((p i ), A)) Jérôme Feret, LIENS 35 31/03/2005

Given: Abstract operational semantics: Reactive molecule R = (n, components, compatibility, v-passing, broadcast) a formal rule, (p k ) 1 k n (L p ) n, param k l (V ) n, constraints k ({x y {=; }, x, y V}) n, C C env; We compute SYNC (R 0 1 k n R k, (p k ), mol) where: mol = INJ (C (p 1 ))... INJ (C (p n )); R 0 = {σ(x) = σ(y) (X, Y) compatibility}, with σ(i k ) = (I, k) and σ(x k l ) = (paramk l, k); k 1; n, R k = {(x, k) (y, k) x y constraints k }; Jérôme Feret, LIENS 36 31/03/2005

Abstract operational semantics: Marker computation and value passing We perform name passing and marker allocation in the same time: 1. we introduce ghost variables; 2. we pass values to these ghost variables; 3. we compute markers; 4. we synchronize updated variable with their ghost twin. Jérôme Feret, LIENS 37 31/03/2005

Given: R = (n, components, compatibility, v-passing, broadcast), (p k ) 1 k n (L p ) n, param k l (V ) n, bd k l (V ) n, molecule Molecule, (I(p i )) 1 i n (Z l ) l N be a family of fresh distinct ghost variables in V; We locate the variables that are bound by the communication: A = {(k, l) 1 k n, 1 l n-vars(components(a))}; create ghost variables: C 1 = NEW ({(Z l, k) (k, l) A}, molecule ); Jérôme Feret, LIENS 38 31/03/2005

bind them to their values: C 2 = SYNC (cons 1 cons 2, (p k ), C 1 ), where: { cons 1 = {(Z l, k) = (param k l, k ) k, k, l, l N, v-passing(y k l ) = Xk l }, cons 2 = {(Z l, k) = (I, k ) k, k, l N, v-passing(y k l ) = Ik }, allocate markers: C 3 = { FETCH ((p k ), C 2 ) C 2 forget useless information: if type(components(1)) = replication otherwise. C 4 = NEW ({(bdk l, k) (k, l) A}, C 3 ); copy ghost variable in their correct twin: C 5 = SYNC ({(Z l, k) = (bd k l, k) (k, l) A}, (p k ), C 4 ). ; Jérôme Feret, LIENS 39 31/03/2005

Abstract operational semantics: Fresh value allocation Given: E s V s Label, we can write Dom(E s ) = {x i 1 i q}; A Atom V ; We compute C n where: C 0 = GC (V \ {Dom(E s )}, C), C k+1 = ν (x k+1, E s (x k+1 ), C k ), k 0; n. Jérôme Feret, LIENS 40 31/03/2005

Abstract operational semantics: Continuation launching Given: R = (n, components, compatibility, v-passing, broadcast), (p k ) L n p, mol Molecule, (fv(p k )) 1 k n (ct k ) ( (L p (V Label))) n ; We compute: [ { p GC (I(p ), update (E s, PROJ (k, mol))) I(p ) k, (p, E s ) ct k } Jérôme Feret, LIENS 41 31/03/2005

Abstract operational semantics: Broadcast value passing I Given: mol the reactive molecule, C C env the abstraction of the system before broacast value passing, R = (n, components, compatibility, v-passing, broadcast), param k l (V ) n ; p L p ; We want to update the abstraction of threads of program point p. First, we compute mol INJ (C (p)). Jérôme Feret, LIENS 42 31/03/2005

Abstract operational semantics: Broadcast value passing II Then, we condider all cases ρ I(p) {0} Dom(broadcast), such that the value x of each variable v at program point p: 1. does not match with the value of any formal variable in Dom(broadcast), and we write (ρ(v) = 0), in such a case, the value x remain unchanged; 2. is substituted by the value of the formal variable broadcast(x) in such a case, x matches the value of X, and we write (ρ(v) = X). We partition according to all potentitial ρ. Jérôme Feret, LIENS 43 31/03/2005

Abstract operational semantics: Broadcast value passing III For any ρ, 1. we take into account partitioning constraints; 2. we introduce a ghost variable for each variable x such that ρ(x) 0; 3. we synchronize these ghost variables with the correct value; 4. we forget any information about any variable x such that ρ(x) 0; 5. we synchronize replaced variables with their ghost twin. Jérôme Feret, LIENS 43 31/03/2005

2024 © sciencedocbox.com Privacy Policy | Terms of Service | Feedback